Method and device for detecting Trojan in non-executable file

A technology for non-executable files and detection methods, applied in computer security devices, instruments, electrical and digital data processing, etc., that addresses the difficulty of identifying illegal function calls and the inability to fundamentally distinguish normal program behavior from suspicious program behavior, with the effect of ensuring reliability.

Active Publication Date: 2010-09-08
XIAMEN MEIYA PICO INFORMATION
0 Cites, 24 Cited by

AI Technical Summary

Problems solved by technology

The disadvantage of this method is twofold. On the one hand, it is difficult to determine whether these function calls are illegal. For example, some methods check the legality of the calling address to determine whether a system function call comes from an illegal memory address (for example, a heap address or a stack address), but this check can be bypassed by forging the call address and using a system function address as a springboard to pose as a system call and avoid monitoring. On the other hand, this method is often implemented at the user privilege level, therefore, the monitoring can be



Example Embodiment

[0029] As shown in the accompanying drawings, a method of the present invention for detecting a Trojan in a non-executable file includes the following steps:

[0030] The detection program 11 set in the user layer 1 of the operating system determines the non-executable document to be detected and the information of the process that opens the non-executable document;

[0031] The monitoring module 21 set in the kernel layer 2 of the operating system monitors the process communication of opening the non-executable document;

[0032] The monitoring module 21 at the kernel layer of the operating system intercepts the file creation operation of the monitored process and determines whether the file extension of the non-executable file is suspicious. If so, it informs the detection program 11 at the user layer of the operating system to suspend the process, warn the user, record the suspicious behavior and prohibit execution; if not, it continues monitoring;

[0033] The monitoring module 21 at the ker...


Abstract

The invention discloses a method and a device for detecting a Trojan in a non-executable file. Based on the characteristics of Trojans carried in non-executable files, a detection program at the user layer of the operating system determines the process to be monitored, and a monitoring module at the kernel layer of the operating system monitors the file creation operations of that process. The monitoring module judges whether the file extension is an executable file extension under the system and whether the format of the written file contains the format characteristics of an executable file under the system, so as to judge whether the program releases an executable file, that is, whether a Trojan exists in the non-executable file. The method and the device can effectively ensure the reliability of Trojan detection for non-executable files, are suitable for processing non-executable files in batches, and are suitable for various operating systems.
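The two checks in the abstract can be sketched as decision logic over file events from a monitored process. This is an added example, not code from the patent: the event record, the extension list, the PE/ELF signatures and all names are assumptions, and the sample events are constructed.

```python
import ntpath
from dataclasses import dataclass

# Assumed values: the page does not list extensions or format signatures.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".sys", ".bat", ".cmd"}
ELF_MAGIC = b"\x7fELF"

@dataclass
class FileEvent:          # hypothetical record handed up by a kernel monitor
    pid: int              # process performing the operation
    op: str               # "create" or "write"
    path: str
    data: bytes = b""     # leading bytes of the write (write events only)

def looks_like_pe(buf: bytes) -> bool:
    """MZ header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[pe_off:pe_off + 4] == b"PE\x00\x00"

def has_exec_format(buf: bytes) -> bool:
    return looks_like_pe(buf) or buf.startswith(ELF_MAGIC)

def check_events(monitored_pids, events):
    """Return (pid, path, reason) for each suspicious event of a monitored process."""
    alerts = []
    for ev in events:
        if ev.pid not in monitored_pids:
            continue  # only the process that opened the document is watched
        ext = ntpath.splitext(ev.path)[1].lower()
        if ev.op == "create" and ext in EXEC_EXTENSIONS:
            alerts.append((ev.pid, ev.path, "executable extension"))
        elif ev.op == "write" and has_exec_format(ev.data):
            alerts.append((ev.pid, ev.path, "executable format in written data"))
    return alerts

def sample_events():
    """Constructed events: pid 4120 opened the document, pid 900 is unrelated."""
    pe = bytearray(0x80)
    pe[:2] = b"MZ"
    pe[0x3C:0x40] = (0x40).to_bytes(4, "little")
    pe[0x40:0x44] = b"PE\x00\x00"
    tmp = "C:\\Users\\u\\AppData\\Local\\Temp\\"
    return [
        FileEvent(4120, "create", tmp + "~WRD0001.tmp"),
        FileEvent(4120, "write", tmp + "~WRD0001.tmp", b"\xd0\xcf\x11\xe0" + bytes(64)),
        FileEvent(4120, "create", tmp + "svchost.exe"),
        FileEvent(4120, "write", tmp + "cache.dat", bytes(pe)),  # benign name, PE body
        FileEvent(900, "create", "C:\\tools\\build.exe"),
    ]
```

The write to `cache.dat` shows why the format check is needed alongside the extension check: the name is harmless, but the written bytes carry a PE header.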

Description

Technical field

[0001] The invention relates to a method for detecting and removing viruses in non-executable files, in particular to a method and a device for detecting a Trojan in a non-executable file.

Background technique

[0002] At present, non-executable documents, such as Word, Excel, PowerPoint and PDF files, are increasingly used to spread Trojan horses. These non-executable documents can often take advantage of overflow vulnerabilities to carry virus or Trojan horse files: when the program that opens the document overflows, the embedded code obtains execution authority and then generates and runs a Trojan horse file. Since the virus or Trojan files hidden in non-executable files are highly concealed, general antivirus software cannot completely detect and remove them, and non-executable files carrying virus or Trojan files often cause great harm to system security.

[0003] At present, there are mainly three methods for virus dete...


Application Information

IPC(8): G06F21/00, G06F21/22, G06F21/56
Inventor: 吴鸿伟, 张永光, 张婷
Owner: XIAMEN MEIYA PICO INFORMATION